A Wisconsin hospital employee fired for accessing the medical records of her estranged son so she could find him has been reinstated after an arbitrator called her punishment excessive.
The 30-year veteran of St. Francis Hospital in Milwaukee was fired after an investigation found she repeatedly accessed her son’s records in violation of federal privacy law.
Read more in the Associated Press, via WCCO.
So… how can an employer establish and enforce privacy policies if an arbitrator can come in afterward and decide that it is “excessive” to fire an employee who has violated HIPAA? What if the employee had only been working there 5 years and had the same explanation? What if the employee was working there 30 years but their reason for snooping was that they were terribly worried about their spouse’s health because their spouse wouldn’t tell them what was going on?
Even if we all believe the employee’s reason and have some empathy, what are the bigger implications for enforcement? Are there conditions under which repeated and knowing HIPAA violations should not result in employee termination? If so, what would they be?
Update of 8-08: A fuller version of the Associated Press story, here, provides some additional details that may or may not influence your view of the case.